This may be an Apache question more than actual PHP, but anyway:
Is it possible to write a few lines in a .htaccess file that only allows the contents of that folder to be viewed by those who have $_SESSION['username'] set? I need to protect the contents of a folder for those who are not yet logged onto the site.
Use .htaccess and PHP session together - is it possible?
- Chris Corbyn
Re: Use .htaccess and PHP session together - is it possible?
ecce wrote: This may be an Apache question more than actual PHP, but anyway:
Is it possible to write a few lines in a .htaccess file that only allows the contents of that folder to be viewed by those who have $_SESSION['username'] set? I need to protect the contents of a folder for those who are not yet logged onto the site.

Why not just do this at the top of each file?
Code:
<?php
session_start();
// Not logged in: answer 404 and stop, so the rest of the file is never sent
if (!isset($_SESSION['username'])) {
    header("HTTP/1.1 404 Not Found");
    exit;
}
?>
- Chris Corbyn
ecce wrote: I store Cisco proprietary materials on the server, and modifying the .html files is a bad idea. Unauthorized people should not be able to access the material by entering a direct URL.

With the correct headers being sent back to the browser the client will see the same as if the user entered an invalid URL. If all the files are .html then set the web server to parse .html with the PHP interpreter and use auto_prepend_file to include a bit of code that does a check, then sends headers and exits if there's a problem (I think that's what the ini setting is).
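A prepended check only runs for files that Apache hands to PHP, so images, PDFs and other static files in the same folder are still served to anyone who has the URL. The following is an added example, not code from this thread, and it goes beyond the suggestion above: every request in the folder is routed through one PHP gate that applies the same $_SESSION['username'] test and then streams the file. The name gate.php, the rewrite rules shown in the comment, index.html as the directory index, and mod_rewrite being allowed in .htaccess are all assumptions.

```php
<?php
// gate.php (hypothetical name) in the protected folder. Assumed .htaccess beside it:
//   RewriteEngine On
//   RewriteRule ^gate\.php$ - [L]
//   RewriteRule ^(.*)$ gate.php?f=$1 [L]

// Map a requested relative path to a real file under $base, or null to refuse it.
function resolve_protected($base, $rel)
{
    if (!is_string($rel) || strpos($rel, "\0") !== false) {
        return null;
    }
    if ($rel === '' || substr($rel, -1) === '/') {
        $rel .= 'index.html';               // assumed directory index name
    }
    $path = realpath($base . '/' . $rel);   // collapses ../ and symlinks; false if missing
    if ($path === false || !is_file($path)) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                        // resolved outside the protected folder
    }
    $name = basename($path);
    if ($name[0] === '.' || strtolower(pathinfo($name, PATHINFO_EXTENSION)) === 'php') {
        return null;                        // never stream .htaccess or script source
    }
    return $path;
}

session_start();
$path = empty($_SESSION['username'])
    ? null
    : resolve_protected(realpath(__DIR__), isset($_GET['f']) ? $_GET['f'] : '');
session_write_close();                      // release the session lock before streaming

if ($path === null) {
    header('HTTP/1.1 404 Not Found');       // same answer for "not logged in" and "no such file"
    exit;
}
$types = array('html' => 'text/html', 'htm' => 'text/html', 'css' => 'text/css',
               'js' => 'application/javascript', 'gif' => 'image/gif',
               'jpg' => 'image/jpeg', 'png' => 'image/png', 'pdf' => 'application/pdf');
$ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
header('Content-Type: ' . (isset($types[$ext]) ? $types[$ext] : 'application/octet-stream'));
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store'); // keep protected pages out of shared caches
header('Content-Length: ' . filesize($path));
readfile($path);
```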
- John Cartwright
I think the suggested solution from d11wtq was a great idea, and I've tried to implement it. I ran into trouble, so please help me through this if you can. These are the .htaccess file and PHP code:
.htaccess
[syntax="apache"]
# Have PHP parse .html and .htm files in this folder
AddType application/x-httpd-php .html
AddType application/x-httpd-php .htm
# Run secure.php before every PHP-parsed file
php_value auto_prepend_file /var/www/html/curriculum/secure.php
[/syntax]
secure.php
Code:
<?php
session_start();
// Stop here unless the session carries a username
if (empty($_SESSION['username']))
{
    echo "You must be logged in to view the Cisco curriculum.<br />";
    print_r($_SESSION); // debug
    exit();
}
?>
It sure runs the PHP script, but the $_SESSION array is totally empty, although I am logged in. The link is opened in a new window, but that usually doesn't bother sessions as long as it is the same browser, right? If I remove all of the URL except the server name and hit enter (so I get to the start page) it says I'm logged in.